Creates a new field by evaluating the provided expression. The eval string must always start with an assignment (f=expr). The result is stored in a field with that name. In an expression, it's possible to supply names of fields, strings and numbers. The operators available are ==, !=, as well as +, -, *, and / and parenthesized expressions.
eval() accepts multiple expressions to be evaluated, separated by a comma, in the form of field_name = expression.
The following are all valid examples:
eval(a = 3)
eval(a = b, x = y + z)
In the context of an eval() expression, unlike filters, identifiers always denote field values. For example:
eval( is_warning= (loglevel==WARN) )
is most likely wrong; you want to write:
(loglevel=="WARN")
The order of evaluation of arguments is left to right.
The expression:
eval(f=expr)
only results in an assignment to f when expr yields a result, which is not the case when a field in the expression does not exist, or it's not a number.
This means that fields are not created if the source event is missing a value.
If f already existed as a field on the event and expr did not yield any result, then f is unchanged.
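The assignment rules above, modelled in Python as an added example (not LogScale's implementation and not code from the original page). The names model_eval and _value are hypothetical, events are plain dicts of field name to string value, and the text comparison and boolean result of == and != are assumptions.

```python
import ast
import operator

# Simplified model of the eval() rules described above. It is not LogScale code.
_ARITH = {ast.Add: operator.add, ast.Sub: operator.sub,
          ast.Mult: operator.mul, ast.Div: operator.truediv}
_NO_RESULT = object()  # sentinel: the expression yielded nothing


def _value(node, event):
    """Evaluate one expression node against an event (dict of field -> value)."""
    if isinstance(node, ast.Constant):         # quoted string or number literal
        return node.value
    if isinstance(node, ast.Name):             # bare identifier = field lookup
        return event.get(node.id, _NO_RESULT)
    if isinstance(node, ast.BinOp) and type(node.op) in _ARITH:
        left, right = _value(node.left, event), _value(node.right, event)
        try:
            return _ARITH[type(node.op)](float(left), float(right))
        except (TypeError, ValueError, ZeroDivisionError):
            # Missing field or not a number; treating division by zero
            # the same way is an assumption of this model.
            return _NO_RESULT
    if (isinstance(node, ast.Compare) and len(node.ops) == 1
            and isinstance(node.ops[0], (ast.Eq, ast.NotEq))):
        left, right = _value(node.left, event), _value(node.comparators[0], event)
        if left is _NO_RESULT or right is _NO_RESULT:
            return _NO_RESULT                  # e.g. WARN read as a missing field
        equal = str(left) == str(right)        # assumption: compare as text
        return equal if isinstance(node.ops[0], ast.Eq) else not equal
    raise ValueError("unsupported expression")


def model_eval(event, assignments):
    """Apply (field, expr) pairs left to right; skip any that yield no result."""
    out = dict(event)
    for field, expr in assignments:
        result = _value(ast.parse(expr.strip(), mode="eval").body, out)
        if result is not _NO_RESULT:           # no result: field left untouched
            out[field] = result
    return out
```

Running the unquoted (loglevel==WARN) form through this model leaves the event without an is_warning field, and an existing field keeps its old value when an input is missing, so a downstream filter can silently act on stale or absent data.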
eval() Examples
Get response size in KB
eval(responsesize = responsesize / 1024)
Add fields together
eval(c = a + b)
Match a field to the timespan. The count should be per minute, not per 5 minutes as the bucket span is:
timechart(method, span=5min)
| eval(_count=_count/5)